Investigate options for certificate pinning bypass #16

Closed
baltpeter opened this issue Feb 16, 2023 · 31 comments

@baltpeter
Member

Currently, we're using objection on Android and SSL Kill Switch 2 on iOS.

I definitely also want to consider https://github.com/httptoolkit/frida-android-unpinning.

@baltpeter
Member Author

There is also TrustMeAlready, which is an Xposed module. We should be able to get that running with LSPosed.

However, it only hooks TrustManagerImpl, making it a lot less powerful than the Frida scripts mentioned above:

https://github.com/ViRb3/TrustMeAlready/blob/043816e0c0080d188812deef67473a0e68a915f9/app/src/main/java/com/virb3/trustmealready/Main.java#L20

Also, the developer has abandoned the module and explicitly recommends using a Frida script instead:

ViRb3/TrustMeAlready#3 (comment)

@baltpeter
Member Author

Anecdotally, I'd say I've seen quite a few more apps than previously report connection issues recently.

baltpeter self-assigned this Jun 15, 2023
@baltpeter
Member Author

The last pinning-related change to objection was in Feb 2021: sensepost/objection@90044d7

@baltpeter
Member Author

Okay, I now have 159 fresh APKs from the top 200 apps (not exactly a great success rate, but that's not what I'm looking into right now).

@baltpeter
Member Author

Results from the very first test run on two apps:

Analyzing data/apks/ai.photo.enhancer.photoclear-30.apk (method: none)...
[
  {
    status: 'tlsFailed',
    context: {
      clientAddress: [Array],
      serverAddress: [Array],
      error: "The client disconnected during the handshake. If this happens consistently for pagead2.googlesyndication.com, this may indicate that the client does not trust the proxy's certificate."
    }
  },
  {
    status: 'tlsFailed',
    context: {
      clientAddress: [Array],
      serverAddress: [Array],
      error: 'connection closed early'
    }
  }
]
Analyzing data/apks/ai.photo.enhancer.photoclear-30.apk (method: objection)...
[]
Analyzing data/apks/ai.photo.enhancer.photoclear-30.apk (method: httptoolkit)...
[]

Analyzing data/apks/canvasm.myo2-73100.apk (method: none)...
[
  {
    status: 'tlsFailed',
    context: {
      clientAddress: [Array],
      serverAddress: [Array],
      error: "The client does not trust the proxy's certificate for apps.o2online.de (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))"
    }
  },
  {
    status: 'tlsFailed',
    context: {
      clientAddress: [Array],
      serverAddress: [Array],
      error: "The client does not trust the proxy's certificate for apps.o2online.de (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))"
    }
  },
  {
    status: 'tlsFailed',
    context: {
      clientAddress: [Array],
      serverAddress: [Array],
      error: "The client does not trust the proxy's certificate for config.eu.usercentrics.eu (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))"
    }
  },
  {
    status: 'tlsFailed',
    context: {
      clientAddress: [Array],
      serverAddress: [Array],
      error: "The client does not trust the proxy's certificate for app.eu.usercentrics.eu (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))"
    }
  }
]
Analyzing data/apks/canvasm.myo2-73100.apk (method: objection)...
[
  {
    status: 'tlsFailed',
    context: {
      clientAddress: [Array],
      serverAddress: [Array],
      error: "The client does not trust the proxy's certificate for config.eu.usercentrics.eu (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))"
    }
  },
  {
    status: 'tlsFailed',
    context: {
      clientAddress: [Array],
      serverAddress: [Array],
      error: "The client does not trust the proxy's certificate for app.eu.usercentrics.eu (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))"
    }
  }
]
Analyzing data/apks/canvasm.myo2-73100.apk (method: httptoolkit)...
[
  {
    status: 'tlsFailed',
    context: {
      clientAddress: [Array],
      serverAddress: [Array],
      error: "The client does not trust the proxy's certificate for config.eu.usercentrics.eu (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))"
    }
  },
  {
    status: 'tlsFailed',
    context: {
      clientAddress: [Array],
      serverAddress: [Array],
      error: "The client does not trust the proxy's certificate for app.eu.usercentrics.eu (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))"
    }
  }
]

Looks like the analysis is going to work. I'll now only need to implement a database for saving the results and I can run the full analysis.

baltpeter added a commit to tweaselORG/experiments that referenced this issue Jun 16, 2023
@baltpeter
Member Author

baltpeter commented Jun 16, 2023

Analysis is running. Source code: https://github.com/tweaselORG/experiments/tree/main/cert-pinning-bypass

This is going to take a while.

@baltpeter
Member Author

First run is complete: https://github.com/tweaselORG/experiments/blob/0d27c1744f741de9fb5d88016d75b41813a50017/cert-pinning-bypass/data/results.db

But we can see that 200 apps are not enough to reach any meaningful conclusions. I'll have to download more apps.

@baltpeter
Member Author

I'm now additionally downloading the top 30 apps of each category (other than games). With that, we should have ~1000 apps.

As a compromise to not have this take forever, I'll only run the new apps for 30 seconds per run (instead of 60).

@baltpeter
Member Author

766 apps in total now. New analysis is running.

@baltpeter
Member Author

Let's see what kinds of TLS errors we observed.

I used select distinct json_extract(value, '$.context.error') from runs, json_each(tlsErrors); as a base. But that unfortunately still gives me a list of 122 values because the error description contains the host, e.g.:

  • The client does not trust the proxy's certificate for apps.o2online.de (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))
  • The client does not trust the proxy's certificate for app.eu.usercentrics.eu (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))

Since the error messages are quite different, I don't think it makes sense to write a script to handle this automatically. I just removed duplicates manually.

There are only four (or five, if you count the one semi-duplicate with a different value in parentheses) different error types we observed:

  • The client disconnected during the handshake. If this happens consistently for pagead2.googlesyndication.com, this may indicate that the client does not trust the proxy's certificate.
  • The client does not trust the proxy's certificate for config.eu.usercentrics.eu (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))
  • connection closed early
  • The client does not trust the proxy's certificate for apps.mzstatic.com (tlsv1 alert unknown ca)
  • Client and mitmproxy cannot agree on a TLS version to use. You may need to adjust mitmproxy's tls_version_client_min option.

@baltpeter
Member Author

baltpeter commented Jun 22, 2023

EDIT: The numbers here are wrong, see #16 (comment).

Here are the statistics of how many apps we observed each error type in, per method:

Apps per method with TLS error "The client disconnected during the handshake": [
  { method: 'httptoolkit', appCount: 70 },
  { method: 'none', appCount: 56 },
  { method: 'objection', appCount: 71 }
]
Apps per method with TLS error "The client does not trust the proxy''s certificate": [
  { method: 'httptoolkit', appCount: 74 },
  { method: 'none', appCount: 88 },
  { method: 'objection', appCount: 76 }
]
Apps per method with TLS error "connection closed early": [
  { method: 'httptoolkit', appCount: 56 },
  { method: 'none', appCount: 48 },
  { method: 'objection', appCount: 54 }
]
Apps per method with TLS error "Client and mitmproxy cannot agree on a TLS version to use": [
  { method: 'httptoolkit', appCount: 1 },
  { method: 'none', appCount: 1 }
]

Apps per method with any TLS error: [
  { method: 'httptoolkit', appCount: 105 },
  { method: 'none', appCount: 115 },
  { method: 'objection', appCount: 103 }
]

Looking at that, there seems to be little difference between objection and the HTTP Toolkit script.

But I am a bit confused as to how to interpret the errors. Both unpinning scripts solve at least some of the "The client does not trust the proxy's certificate" errors, as expected (though fewer than I would have expected). But there are actually more "The client disconnected during the handshake" and "connection closed early" errors with our unpinning scripts. (I'm pretty sure we can ignore "Client and mitmproxy cannot agree on a TLS version to use" here.)

For reference: The analysis ran for 694 apps (select count(distinct appId) from runs;).

@baltpeter
Member Author

I also observed how many apps had crashed after the 30/60 seconds:

Crashes per method: [
  { method: 'httptoolkit', crashCount: 39 },
  { method: 'none', crashCount: 35 },
  { method: 'objection', crashCount: 46 }
]

Now, we shouldn't consider the absolute numbers too much, I'm not sure how correct they are (I checked whether the foreground app ID matched the current app ID, but I think I saw some apps that were reported as crashing because they had a modal open).

But the relative numbers are interesting. Seems like the HTTP Toolkit script crashes fewer apps than objection.

@baltpeter
Member Author

Unfortunately, our mitmproxy script didn't capture the hostnames in machine-readable form, so I'll have to parse them out of the error message to analyse them. Unfortunate, but not the end of the world.

Looking at the code that produces the error messages, I'm guessing the problem is that we're not collecting conn.sni:

https://github.com/mitmproxy/mitmproxy/blob/077c771ae948e3ec4fbd8e8c1e607553bab508da/mitmproxy/proxy/layers/tls.py#L613-L616

Makes sense, SNI is very common.
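
The manual de-duplication of error messages and the hostname parsing mentioned in the comments above can both be done with a few anchored patterns. The following is an added example, not code from this issue or from tweaselORG/experiments; the nested `status`/`context`/`error` layout follows the output quoted in the thread, while the `appId`/`method` keys on each run, the type names and the sample runs are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Message shapes taken from the output quoted in the thread. Patterns are
# anchored and case-sensitive: the "disconnected" message also contains
# "the client does not trust the proxy's certificate" (lower-case "the"),
# so a loose substring search would conflate the two types.
PATTERNS = [
    ("untrusted_cert", re.compile(
        r"^The client does not trust the proxy's certificate for "
        r"(?P<host>\S+) \((?P<detail>.*)\)$")),
    ("client_disconnected", re.compile(
        r"^The client disconnected during the handshake\. If this happens "
        r"consistently for (?P<host>[^,\s]+), this may indicate ")),
    ("closed_early", re.compile(r"^connection closed early$")),
    ("tls_version", re.compile(
        r"^Client and mitmproxy cannot agree on a TLS version to use\.")),
]


def classify(error):
    """Return (error_type, host, detail); host and detail are None if absent."""
    for name, pattern in PATTERNS:
        match = pattern.match(error)
        if match:
            groups = match.groupdict()
            return name, groups.get("host"), groups.get("detail")
    return "other", None, None


def apps_per_method(runs):
    """Count distinct apps per (error_type, method)."""
    seen = defaultdict(set)
    for run in runs:
        for entry in run["tlsErrors"]:
            error_type, _, _ = classify(entry["context"]["error"])
            seen[(error_type, run["method"])].add(run["appId"])
    return {key: len(apps) for key, apps in sorted(seen.items())}


def hosts_for(runs, error_type):
    """Sorted distinct hosts (kept verbatim, may be ip:port) for one error type."""
    hosts = set()
    for run in runs:
        for entry in run["tlsErrors"]:
            kind, host, _ = classify(entry["context"]["error"])
            if kind == error_type and host:
                hosts.add(host)
    return sorted(hosts)


def err(message):
    """Wrap a message in the record layout shown in the thread."""
    return {"status": "tlsFailed", "context": {"error": message}}


UNTRUSTED = "The client does not trust the proxy's certificate for {} ({})"
DISCONNECTED = ("The client disconnected during the handshake. If this happens "
                "consistently for {}, this may indicate that the client does not "
                "trust the proxy's certificate.")
OPENSSL = "OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')])"

# Constructed sample runs (app IDs, hosts and addresses are placeholders).
SAMPLE_RUNS = [
    {"appId": "com.example.a", "method": "none", "tlsErrors": [
        err(UNTRUSTED.format("api.example.com", OPENSSL)),
        err(DISCONNECTED.format("cdn.example.net"))]},
    {"appId": "com.example.a", "method": "httptoolkit", "tlsErrors": [
        err(DISCONNECTED.format("cdn.example.net"))]},
    {"appId": "com.example.b", "method": "none", "tlsErrors": [
        err(UNTRUSTED.format("192.0.2.10:443", "tlsv1 alert unknown ca")),
        err("connection closed early")]},
    {"appId": "com.example.b", "method": "httptoolkit", "tlsErrors": [
        err(UNTRUSTED.format("192.0.2.10:443", "tlsv1 alert unknown ca"))]},
    {"appId": "com.example.c", "method": "none", "tlsErrors": [
        err("Client and mitmproxy cannot agree on a TLS version to use. You may "
            "need to adjust mitmproxy's tls_version_client_min option.")]},
]

if __name__ == "__main__":
    for key, count in apps_per_method(SAMPLE_RUNS).items():
        print(key, count)
    print(hosts_for(SAMPLE_RUNS, "untrusted_cert"))
```
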

@baltpeter

This comment was marked as outdated.

@baltpeter
Member Author

Actually, I had a counting error in #16 (comment)! I was searching for "The client does not trust the proxy's certificate". But apparently SQLite's like operator is case-insensitive by default, so that also counted the "The client disconnected during the handshake" errors (which contain the same string later on but with a lower-case "the").

With that fixed, the results now look more favourable for the unpinning scripts:

Apps per method with TLS error "The client disconnected during the handshake": [
  { method: 'httptoolkit', appCount: 70 },
  { method: 'none', appCount: 56 },
  { method: 'objection', appCount: 71 }
]
Apps per method with TLS error "The client does not trust the proxy''s certificate for": [
  { method: 'httptoolkit', appCount: 4 },
  { method: 'none', appCount: 33 },
  { method: 'objection', appCount: 5 }
]
Apps per method with TLS error "connection closed early": [
  { method: 'httptoolkit', appCount: 56 },
  { method: 'none', appCount: 48 },
  { method: 'objection', appCount: 54 }
]
Apps per method with TLS error "Client and mitmproxy cannot agree on a TLS version to use": [
  { method: 'httptoolkit', appCount: 1 },
  { method: 'none', appCount: 1 }
]
Apps per method with any TLS error: [
  { method: 'httptoolkit', appCount: 105 },
  { method: 'none', appCount: 115 },
  { method: 'objection', appCount: 103 }
]

Both actually fix almost all the errors that are definitely certificate pinning-related ("The client does not trust the proxy's certificate for *"). I still don't know how to interpret the "The client disconnected during the handshake" errors.
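
The over-count described in the comment above can be reproduced against an in-memory database. This is an added example, not the project's analysis code: the `runs` table with `appId` and `tlsErrors` follows the queries quoted in the thread, while the `method` column, the sample rows and the helper names are assumptions.

```python
import json
import sqlite3

# Exact search string from the thread (capital "The").
NEEDLE = "The client does not trust the proxy's certificate"

UNTRUSTED = ("The client does not trust the proxy's certificate for {} "
             "(tlsv1 alert unknown ca)")
DISCONNECTED = ("The client disconnected during the handshake. If this happens "
                "consistently for {}, this may indicate that the client does not "
                "trust the proxy's certificate.")

ERROR = "json_extract(value, '$.context.error')"
# Fixed predicate fragments (never user input); the needle is bound as a parameter.
PREDICATES = {
    # LIKE ignores ASCII case by default, so it also matches DISCONNECTED.
    "like": f"{ERROR} like '%' || :needle || '%'",
    # instr() and GLOB compare case-sensitively.
    "instr": f"instr({ERROR}, :needle) > 0",
    "glob": f"{ERROR} glob '*' || :needle || '*'",
}


def build_db():
    """Create an in-memory database with constructed sample runs."""
    db = sqlite3.connect(":memory:")
    db.execute("create table runs (appId text, method text, tlsErrors text)")
    rows = [
        ("com.example.a", "none", [UNTRUSTED.format("api.example.com")]),
        ("com.example.a", "httptoolkit", [DISCONNECTED.format("cdn.example.net")]),
        ("com.example.b", "none", [DISCONNECTED.format("cdn.example.net")]),
        ("com.example.b", "httptoolkit", [DISCONNECTED.format("cdn.example.net")]),
        ("com.example.c", "none", ["connection closed early"]),
        ("com.example.c", "httptoolkit", []),
    ]
    db.executemany(
        "insert into runs values (?, ?, ?)",
        [(app, method, json.dumps(
            [{"status": "tlsFailed", "context": {"error": e}} for e in errors]))
         for app, method, errors in rows])
    return db


def count_apps(db, predicate):
    """Distinct apps per method whose TLS errors satisfy the named predicate."""
    # Uses SQLite's JSON functions (json_each/json_extract), as in the thread.
    sql = f"""
        select method, count(distinct appId)
        from runs, json_each(runs.tlsErrors)
        where {PREDICATES[predicate]}
        group by method
        order by method
    """
    return dict(db.execute(sql, {"needle": NEEDLE}).fetchall())


if __name__ == "__main__":
    database = build_db()
    for name in PREDICATES:
        print(name, count_apps(database, name))
```

With the constructed rows, the `like` predicate reports the trust error under both methods, while `instr` and `glob` report it only for the one unbypassed run that actually contains it.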

@baltpeter
Member Author

I wrote my first custom bypass in #31. For that case at least, that really wasn't bad at all.

In the results, there are barely any other apps with the clear error left.

Anydesk had errors for an IP address, which seems like more trouble than it's worth:

[{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",43658],"serverAddress":["49.12.130.237",443],"error":"The client does not trust the proxy's certificate for 49.12.130.237:443 (tlsv1 alert unknown ca)"}},{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",40054],"serverAddress":["49.12.130.237",80],"error":"The client does not trust the proxy's certificate for 49.12.130.237:80 (tlsv1 alert unknown ca)"}},{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",39142],"serverAddress":["49.12.130.237",6568],"error":"The client does not trust the proxy's certificate for 49.12.130.237:6568 (tlsv1 alert unknown ca)"}},{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",43662],"serverAddress":["49.12.130.237",443],"error":"The client does not trust the proxy's certificate for 49.12.130.237:443 (tlsv1 alert unknown ca)"}},{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",40062],"serverAddress":["49.12.130.237",80],"error":"The client does not trust the proxy's certificate for 49.12.130.237:80 (tlsv1 alert unknown ca)"}},{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",39144],"serverAddress":["49.12.130.237",6568],"error":"The client does not trust the proxy's certificate for 49.12.130.237:6568 (tlsv1 alert unknown ca)"}},{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",43672],"serverAddress":["49.12.130.237",443],"error":"The client does not trust the proxy's certificate for 49.12.130.237:443 (tlsv1 alert unknown ca)"}},{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",40064],"serverAddress":["49.12.130.237",80],"error":"The client does not trust the proxy's certificate for 49.12.130.237:80 (tlsv1 alert unknown ca)"}},{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",39154],"serverAddress":["49.12.130.237",6568],"error":"The client does not trust the proxy's certificate for 49.12.130.237:6568 (tlsv1 alert unknown ca)"}},{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",43686],"serverAddress":["49.12.130.237",443],"error":"The client does not trust the proxy's certificate for 49.12.130.237:443 (tlsv1 alert unknown ca)"}},{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",40070],"serverAddress":["49.12.130.237",80],"error":"The client does not trust the proxy's certificate for 49.12.130.237:80 (tlsv1 alert unknown ca)"}},{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",39158],"serverAddress":["49.12.130.237",6568],"error":"The client does not trust the proxy's certificate for 49.12.130.237:6568 (tlsv1 alert unknown ca)"}}]

Apple Music might be worth a look but I doubt that their mechanism will be applicable for any non-Apple apps and there aren't that many Apple apps on Android:

[{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",47018],"serverAddress":["23.192.152.19",443],"error":"The client does not trust the proxy's certificate for init.itunes.apple.com (tlsv1 alert unknown ca)"}},{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",47028],"serverAddress":["23.192.152.19",443],"error":"The client does not trust the proxy's certificate for apps.mzstatic.com (tlsv1 alert unknown ca)"}}]

And finally, Commerzbank crashes anyway on rooted devices:

[{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",47122],"serverAddress":["212.149.50.16",443],"error":"The client does not trust the proxy's certificate for app.commerzbank.de (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))"}}]

@baltpeter
Member Author

Instead, I'll look into the "The client disconnected during the handshake." errors. Those are the ones I don't really understand yet. Are they also related to certificate pinning and do we need to worry about those or can they just happen every now and again?

Let's start with de.burgerking.kingfinder. That was reporting this error for *.sanity.io:

[
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 45830],
            "serverAddress": ["34.102.211.197", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for czqk28jt.apicdn.sanity.io, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 45834],
            "serverAddress": ["34.102.211.197", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for czqk28jt.apicdn.sanity.io, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 42694],
            "serverAddress": ["35.190.70.79", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for cdn.sanity.io, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 42702],
            "serverAddress": ["35.190.70.79", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for cdn.sanity.io, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 42708],
            "serverAddress": ["35.190.70.79", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for cdn.sanity.io, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 42720],
            "serverAddress": ["35.190.70.79", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for cdn.sanity.io, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 42728],
            "serverAddress": ["35.190.70.79", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for cdn.sanity.io, this may indicate that the client does not trust the proxy's certificate."
        }
    }
]

Now, curiously, I just started this app without any bypass (but using HTTP Toolkit instead of mitmproxy) and those requests worked just fine:

image

@baltpeter
Member Author

It's not due to something being different in HTTP Toolkit. Same thing in mitmproxy:

image

And no errors regarding this domain were logged either.

@baltpeter
Member Author

Also works in mitmproxy if I use the bypass script. So it seems like at least for this app, the error was just a fluke and is nothing that we need to worry about.

@baltpeter
Member Author

Next up de.casparwre.insult:

[
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 39412],
            "serverAddress": ["142.250.186.99", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for www.gstatic.com, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 39424],
            "serverAddress": ["142.250.186.99", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for www.gstatic.com, this may indicate that the client does not trust the proxy's certificate."
        }
    }
]

I had to try multiple times to get it to do any connections to gstatic.com; in most runs it just didn't even try to connect to that. But in one run, I did see the error again:

[17:42:14.827][10.0.0.1:39862] Client TLS handshake failed. The client disconnected during the handshake. If this happens consistently for www.gstatic.com, this may indicate that the client does not trust the proxy's certificate.
[17:42:14.827][10.0.0.1:39866] Client TLS handshake failed. The client disconnected during the handshake. If this happens consistently for www.gstatic.com, this may indicate that the client does not trust the proxy's certificate.
[17:42:15.520][10.0.0.1:48856] Client TLS handshake failed. The client disconnected during the handshake. If this happens consistently for csi.gstatic.com, this may indicate that the client does not trust the proxy's certificate.

But mitmproxy did also successfully intercept requests to that domain:

image

So, this again seems more like a hiccup than an actual problem we need to deal with.

@baltpeter
Member Author

Next up de.dm.fotoparadies. This one had quite a few errors:

[
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 38802],
            "serverAddress": ["193.169.76.13", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for www.fotoparadies.de, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 40680],
            "serverAddress": ["193.169.77.7", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for delapi.photoprintit.com, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 40634],
            "serverAddress": ["193.169.77.7", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for delapi.photoprintit.com, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 40662],
            "serverAddress": ["193.169.77.7", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for dls.photoprintit.com, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 40696],
            "serverAddress": ["193.169.77.7", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for delapi.photoprintit.com, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 48932],
            "serverAddress": ["63.140.62.160", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for cewecolor.sc.omtrdc.net, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 40632],
            "serverAddress": ["193.169.77.7", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for delapi.photoprintit.com, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 40672],
            "serverAddress": ["193.169.77.7", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for delapi.photoprintit.com, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 40666],
            "serverAddress": ["193.169.77.7", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for delapi.photoprintit.com, this may indicate that the client does not trust the proxy's certificate."
        }
    }
]

Without a bypass, these all went through fine and without any errors logged. And again same thing with the bypass script.

@baltpeter
Member Author

I'll try a few more to be sure. These were the errors logged for de.mdr.smartphone.android.mdrsachsen:

[
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 39602],
            "serverAddress": ["23.42.197.95", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for cdn.mdr.de, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 39622],
            "serverAddress": ["23.42.197.95", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for cdn.mdr.de, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 39626],
            "serverAddress": ["23.42.197.95", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for cdn.mdr.de, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 38816],
            "serverAddress": ["142.251.32.97", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for cdn.ampproject.org, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 38802],
            "serverAddress": ["142.251.32.97", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for cdn.ampproject.org, this may indicate that the client does not trust the proxy's certificate."
        }
    }
]

I am seeing the same errors logged, but requests to the same hosts are in fact going through:

image

@baltpeter
Member Author

Let's do de.wetteronline.regenradar:

[
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 44960],
            "serverAddress": ["142.250.186.129", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for tpc.googlesyndication.com, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 37126],
            "serverAddress": ["172.217.16.194", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for pagead2.googlesyndication.com, this may indicate that the client does not trust the proxy's certificate."
        }
    }
]

  1. First attempt: No errors logged this time and the requests to these hosts are going through.
  2. Second attempt: One error logged for tpc.googlesyndication.com, but I am seeing requests to that host.

@baltpeter
Member Author

One more. com.classiccard.app:

[
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 43870],
            "serverAddress": ["54.186.23.98", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for r.stripe.com, this may indicate that the client does not trust the proxy's certificate."
        }
    },
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 43878],
            "serverAddress": ["54.186.23.98", 443],
            "error": "The client disconnected during the handshake. If this happens consistently for r.stripe.com, this may indicate that the client does not trust the proxy's certificate."
        }
    }
]

Same old, same old. I am seeing errors logged for r.stripe.com, but the requests are still working just fine.

@baltpeter
Member Author

baltpeter commented Jun 23, 2023

Okay, with that, I am pretty sure that we can just disregard the "The client disconnected during the handshake." errors.

There may be cases where these are an actual cert pinning problem, but I didn't find any of those.

@baltpeter
Member Author

And I'd guess that the "connection closed early" ones are also only intermittent and not related to cert pinning.

Example of this error as reported during the analysis (for com.canva.editor):

[
    {
        "status": "tlsFailed",
        "context": {
            "clientAddress": ["10.0.0.1", 48864],
            "serverAddress": ["104.16.227.10", 443],
            "error": "connection closed early"
        }
    }
]

I started a few apps (com.canva.editor, de.cellular.ottohybrid, io.mapgenie.diablo4map) that reported this error during the analysis a few times to verify that.

I didn't observe any "connection closed early"s this time. With that, I'm pretty happy to conclude that we don't need to worry about those, either.

@baltpeter
Member Author

Okay, to give this a little conclusion for now: I'm now pretty sure that "The client does not trust the proxy's certificate" is the only error related to cert pinning and the only one we need to worry about.

For that one, both objection and the HT script are pretty good:

Apps per method with TLS error "The client does not trust the proxy''s certificate for": [
  { method: 'httptoolkit', appCount: 4 },
  { method: 'none', appCount: 33 },
  { method: 'objection', appCount: 5 }
]

I'd say we do switch to the HT script (it seems more actively maintained, is not worse and maybe even a little better than objection, and it saves us from all the trouble we had with keeping objection's process around (tweaselORG/appstraction#101, tweaselORG/appstraction#24)).

Other than that, I'm now feeling pretty confident that we'll be able to write our own bypasses for the pinning problems we will encounter. But I don't think we need to invest too much effort into that for the moment (I was in the mood for writing a few bypasses, but really struggled to find any apps where that was necessary :D).

@baltpeter
Member Author

One more thing to consider: In my previous run, I excluded the games categories (games tend to be quite large, which I wanted to avoid). But we should see whether they maybe employ different pinning techniques. I've now reincluded the main "Games" category and am downloading the apps for that.

@baltpeter
Member Author

baltpeter commented Jun 26, 2023

This has finally forced me to fix the platform in the download code. googleplay by default assumes an x86 device. But many games aren't available for that (and I'm running on a physical device, which uses arm64!).

I didn't bother to redownload the x86-only apps I already had.

@baltpeter
Member Author

baltpeter commented Jun 27, 2023

The results for the extended run with games are in. I've now analysed 1046 apps.

Crashes per method

[
  { method: 'httptoolkit', crashCount: 55 },
  { method: 'none', crashCount: 49 },
  { method: 'objection', crashCount: 70 }
]

Pattern stays the same. We still shouldn't trust the absolute numbers but the HT script is still a lot less prone to making apps crash.

Observed TLS errors per method and app

Apps per method with TLS error "The client disconnected during the handshake": [
  { method: 'httptoolkit', appCount: 111 },
  { method: 'none', appCount: 98 },
  { method: 'objection', appCount: 123 }
]
Apps per method with TLS error "The client does not trust the proxy''s certificate for": [
  { method: 'httptoolkit', appCount: 8 },
  { method: 'none', appCount: 47 },
  { method: 'objection', appCount: 9 }
]
Apps per method with TLS error "connection closed early": [
  { method: 'httptoolkit', appCount: 93 },
  { method: 'none', appCount: 90 },
  { method: 'objection', appCount: 101 }
]
Apps per method with TLS error "Client and mitmproxy cannot agree on a TLS version to use": [
  { method: 'httptoolkit', appCount: 3 },
  { method: 'none', appCount: 3 },
  { method: 'objection', appCount: 2 }
]
Apps per method with any TLS error: [
  { method: 'httptoolkit', appCount: 171 },
  { method: 'none', appCount: 196 },
  { method: 'objection', appCount: 180 }
]

As we determined, only the "The client does not trust the proxy's certificate for" errors matter for us. We now have the following four additional apps that the HT script can't (fully) unpin:

com.opera.app.news:

[{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",43520],"serverAddress":["185.26.181.241",443],"error":"The client does not trust the proxy's certificate for global-turbo2-1.opera-mini.net (tlsv1 alert unknown ca)"}},{"status":"tlsFailed","context":{"clientAddress":["10.0.0.1",45926],"serverAddress":["185.26.181.220",443],"error":"The client does not trust the proxy's certificate for global-turbo2.opera-mini.net (tlsv1 alert unknown ca)"}}]

com.roblox.client:


com.snapchat.android:


com.zhiliaoapp.musically:


At least TikTok and Snapchat require app-specific bypasses that already exist but aren't included in the HT script: https://github.com/Eltion/Tiktok-SSL-Pinning-Bypass, https://github.com/Eltion/Snapchat-SSL-Pinning-Bypass

Domains with untrusted certificate without bypass


Unsolved domains despite bypass (for either script)


Comparing the solved domains per method

Both objection and the HT script "solved" 61 domains each (i.e. those domains had a TLS error due to certificate pinning in the run without a bypass but not in the run with the respective script).

The sets of their solved domains are almost identical. It's not unlikely that the two differences we did observe are false positives (after all, it is very plausible that an app doesn't try to contact the exact same domains on each run, and we already know that TikTok should require a specific bypass not included in objection):

Comparing solved domains between objection and httptoolkit: { added: [ 'webcast-va.tiktokv.com' ], removed: [ 'dns.google.com' ] }

Note that I still used the old version of the HT script without my recent changes for the new apps.
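
The "solved domains" comparison described in the comment above, as an added example that is not part of the original thread or the project's code. The record shape follows the `tlsFailed` entries quoted in this thread; the function names, the `.example` hosts, the `192.0.2.10` address and the reading of `added`/`removed` are assumptions made for illustration.

```javascript
// Constructed sample data in the shape of the tlsFailed records quoted in this thread.
const PIN_ERROR = /^The client does not trust the proxy's certificate for (\S+) \(/;
const OPENSSL = "(OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))";
const failed = (host) => ({
  status: 'tlsFailed',
  context: {
    clientAddress: ['10.0.0.1', 40000],
    serverAddress: ['192.0.2.10', 443],
    error: `The client does not trust the proxy's certificate for ${host} ${OPENSSL}`,
  },
});

// Hosts for which the client rejected the proxy's certificate in one run.
function untrustedHosts(events) {
  const hosts = new Set();
  for (const e of events) {
    if (e.status !== 'tlsFailed') continue;
    const m = PIN_ERROR.exec(e.context?.error ?? '');
    if (m) hosts.add(m[1]); // other TLS failures are not counted as pinning
  }
  return hosts;
}

// "Solved": untrusted in the run without a bypass, not untrusted in the run with it.
// A host the app simply did not contact in the second run also lands here.
function solvedHosts(baseline, withBypass) {
  const still = untrustedHosts(withBypass);
  return new Set([...untrustedHosts(baseline)].filter((h) => !still.has(h)));
}

// Assumed meaning of the thread's output: added = only in b, removed = only in a.
function compareSolved(a, b) {
  return {
    added: [...b].filter((h) => !a.has(h)),
    removed: [...a].filter((h) => !b.has(h)),
  };
}

function demo() {
  const hosts = ['a.pinned.example', 'b.pinned.example', 'c.pinned.example', 'd.pinned.example'];
  const baseline = hosts.map(failed);
  const other = { status: 'tlsFailed', context: { error: 'constructed unrelated TLS error' } };
  const solvedA = solvedHosts(baseline, [failed(hosts[2]), failed(hosts[3]), other]);
  const solvedB = solvedHosts(baseline, [failed(hosts[2]), failed(hosts[1])]);
  return { solvedA, solvedB, diff: compareSolved(solvedA, solvedB) };
}

console.log(demo());
```
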

@baltpeter
Member Author

I've opened tweaselORG/appstraction#111 to switch to the HT script in appstraction. I think with that, we can consider this done for now.
